AthenZ · psasidhar · Mar 11, 2026 · Mar 11, 2026 · Mar 11, 2026
diff --git a/clients/go/zms/zms_schema.go b/clients/go/zms/zms_schema.go
diff --git a/clients/java/msd/src/main/java/com/yahoo/athenz/msd/MSDRDLGeneratedClient.java b/clients/java/msd/src/main/java/com/yahoo/athenz/msd/MSDRDLGeneratedClient.java
@@ -1066,7 +1066,7 @@ public TransportPolicySnapshots getTransportPolicySnapshots(String domainName, S
         }
     }
 
-    public TransportPolicySnapshot getTransportPolicySnapshot(String domainName, String serviceName, String snapshotName, String matchingTag, java.util.Map<String, java.util.List<String>> headers) throws URISyntaxException, IOException {
+    public TransportPolicySnapshot getTransportPolicySnapshot(String domainName, String serviceName, String snapshotName) throws URISyntaxException, IOException {
         UriTemplateBuilder uriTemplateBuilder = new UriTemplateBuilder(baseUrl, "/domain/{domainName}/service/{serviceName}/snapshot/{snapshotName}")
             .resolveTemplate("domainName", domainName)
             .resolveTemplate("serviceName", serviceName)
@@ -1078,24 +1078,12 @@ public TransportPolicySnapshot getTransportPolicySnapshot(String domainName, Str
         if (credsHeader != null) {
             httpUriRequest.addHeader(credsHeader, credsToken);
         }
-        if (matchingTag != null) {
-            httpUriRequest.addHeader("If-None-Match", matchingTag);
-        }
         HttpEntity httpResponseEntity = null;
         try (CloseableHttpResponse httpResponse = client.execute(httpUriRequest, httpContext)) {
             int code = httpResponse.getCode();
             httpResponseEntity = httpResponse.getEntity();
             switch (code) {
             case 200:
-            case 304:
-                if (headers != null) {
-                    if (httpResponse.getFirstHeader("ETag") != null) {
-                        headers.put("tag", List.of(httpResponse.getFirstHeader("ETag").getValue()));
-                    }
-                }
-                if (code == 304) {
-                    return null;
-                }
                 return jsonMapper.readValue(httpResponseEntity.getContent(), TransportPolicySnapshot.class);
             default:
                 final String errorData = (httpResponseEntity == null) ? null : getStringResponseEntity(httpResponseEntity);

diff --git a/core/zms/src/main/java/com/yahoo/athenz/zms/ZMSSchema.java b/core/zms/src/main/java/com/yahoo/athenz/zms/ZMSSchema.java
@@ -1174,13 +1174,13 @@ private static Schema build() {
 ;
 
         sb.resource("DomainMeta", "PUT", "/domain/{name}/meta/system/{attribute}")
-            .comment("Set the specified top level domain metadata. Note that entities in the domain are not affected. Caller must have update privileges on the domain itself. If the system attribute is one of the string attributes, then the caller must also have delete action on the same resource in order to reset the configured value")
+            .comment("Set the specified top level domain metadata. Note that entities in the domain are not affected. Caller must have update privileges on the domain itself. If the system attribute is one of the string attributes, then the caller must also have delete action on the same resource in order to reset the configured value. The authorization will be carried out in the server side based on the attribute. For all attributes, the system admin will have full access with authorize (\"update\", \"sys.auth:meta.domain.{attribute}.{name}\") but for \"enabled\" attribute we'll allow domain admins to enable/disable as well with authorize (\"update\", \"{name}:\"). We're handling the enabled attribute separately to avoid any issues with regular meta calls where the state can change accidentally causing unexpected incidents")
             .name("PutDomainSystemMeta")
             .pathParam("name", "DomainName", "name of the domain to be updated")
             .pathParam("attribute", "SimpleName", "name of the system attribute to be modified")
             .headerParam("Y-Audit-Ref", "auditRef", "String", null, "Audit param required(not empty) if domain auditEnabled is true.")
             .input("detail", "DomainMeta", "DomainMeta object with updated attribute values")
-            .auth("update", "sys.auth:meta.domain.{attribute}.{name}")
+            .auth("", "", true)
             .expected("NO_CONTENT")
             .exception("BAD_REQUEST", "ResourceError", "")
 

diff --git a/core/zms/src/main/rdl/Domain.rdli b/core/zms/src/main/rdl/Domain.rdli
@@ -199,13 +199,19 @@ resource Domain PUT "/domain/{name}/meta" {
 //are not affected. Caller must have update privileges on the domain itself.
 //If the system attribute is one of the string attributes, then the caller
 //must also have delete action on the same resource in order to reset the
-//configured value
+//configured value. The authorization will be carried out in the server side
+//based on the attribute. For all attributes, the system admin will have full
+//access with authorize ("update", "sys.auth:meta.domain.{attribute}.{name}")
+//but for "enabled" attribute we'll allow domain admins to enable/disable
+//as well with authorize ("update", "{name}:"). We're handling the enabled
+//attribute separately to avoid any issues with regular meta calls where the
+//state can change accidentally causing unexpected incidents
 resource Domain PUT "/domain/{name}/meta/system/{attribute}" (name=PutDomainSystemMeta) {
     DomainName name; //name of the domain to be updated
     SimpleName attribute; //name of the system attribute to be modified
     String auditRef (header="Y-Audit-Ref"); //Audit param required(not empty) if domain auditEnabled is true.
     DomainMeta detail; //DomainMeta object with updated attribute values
-    authorize ("update", "sys.auth:meta.domain.{attribute}.{name}");
+    authenticate;
     expected NO_CONTENT;
     exceptions {
         ResourceError NOT_FOUND;

diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java
@@ -2987,16 +2987,17 @@ public void putDomainSystemMeta(ResourceContext ctx, String domainName, String a
         attribute = attribute.toLowerCase();
         AthenzObject.DOMAIN_META.convertToLowerCase(meta);
 
-        // verify that request is properly authenticated for this request
-
-        Principal principal = ((RsrcCtxWrapper) ctx).principal();
-        verifyAuthorizedServiceOperation(principal.getAuthorizedService(), caller);
-
         if (LOG.isDebugEnabled()) {
             LOG.debug("putDomainSystemMeta: name={}, attribute={}, meta={}",
                     domainName, attribute, meta);
         }
 
+        // verify that request is properly authenticated for this request
+
+        Principal principal = ((RsrcCtxWrapper) ctx).principal();
+        verifyAuthorizedSystemMetaOperation(principal, domainName, attribute, caller);
+        verifyAuthorizedServiceOperation(principal.getAuthorizedService(), caller);
+
         // first obtain our domain object
 
         Domain domain = dbService.getDomain(domainName, true);
@@ -3051,6 +3052,32 @@ public void putDomainSystemMeta(ResourceContext ctx, String domainName, String a
         updateExistingDomainMetaStoreDetails(domainName, meta, changedAttrs);
     }
 
+    void verifyAuthorizedSystemMetaOperation(Principal principal, String domainName, String attribute, String caller) {
+
+        // For all attributes, the system admin will have full access with
+        // authorize ("update", "sys.auth:meta.domain.{attribute}.{name}")
+
+        final String systemResource = SYS_AUTH + ":meta.domain." + attribute + "." + domainName;
+        if (isAllowedSystemAccess(principal, ZMSConsts.ACTION_UPDATE, systemResource)) {
+            return;
+        }
+
+        // for "enabled" attribute we'll allow domain admins to enable/disable
+        // as well with authorize ("update", "{name}:"). We're handling the enabled
+        // attribute separately to avoid any issues with regular meta calls where the
+        // state can change accidentally causing unexpected incidents
+
+        if (ZMSConsts.SYSTEM_META_ENABLED.equals(attribute)) {
+            final String domainResource = domainName + ":";
+            if (hasAccess(getAthenzDomain(domainName, false), ZMSConsts.ACTION_UPDATE, domainResource,
+                    principal, null) == AccessStatus.ALLOWED) {
+                return;
+            }
+        }
+
+        throw ZMSUtils.forbiddenError("unauthorized to update system meta attribute: " + attribute, caller);
+    }
+
     void validateSolutionTemplates(List<String> templateNames, String caller) {
         for (String templateName : templateNames) {
             if (!serverSolutionTemplates.contains(templateName)) {

diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSResources.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSResources.java
@@ -363,7 +363,7 @@ public void putDomainMeta(
     @Path("/domain/{name}/meta/system/{attribute}")
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
-    @Operation(description = "Set the specified top level domain metadata. Note that entities in the domain are not affected. Caller must have update privileges on the domain itself. If the system attribute is one of the string attributes, then the caller must also have delete action on the same resource in order to reset the configured value")
+    @Operation(description = "Set the specified top level domain metadata. Note that entities in the domain are not affected. Caller must have update privileges on the domain itself. If the system attribute is one of the string attributes, then the caller must also have delete action on the same resource in order to reset the configured value. The authorization will be carried out in the server side based on the attribute. For all attributes, the system admin will have full access with authorize (\"update\", \"sys.auth:meta.domain.{attribute}.{name}\") but for \"enabled\" attribute we'll allow domain admins to enable/disable as well with authorize (\"update\", \"{name}:\"). We're handling the enabled attribute separately to avoid any issues with regular meta calls where the state can change accidentally causing unexpected incidents")
     public void putDomainSystemMeta(
         @Parameter(description = "name of the domain to be updated", required = true) @PathParam("name") String name,
         @Parameter(description = "name of the system attribute to be modified", required = true) @PathParam("attribute") String attribute,
@@ -373,7 +373,7 @@ public void putDomainSystemMeta(
         ResourceContext context = null;
         try {
             context = this.delegate.newResourceContext(this.servletContext, this.request, this.response, "putDomainSystemMeta");
-            context.authorize("update", "sys.auth:meta.domain." + attribute + "." + name + "", null);
+            context.authenticate();
             this.delegate.putDomainSystemMeta(context, name, attribute, auditRef, detail);
         } catch (ResourceException e) {
             code = e.getCode();

diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSDeleteDomainTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSDeleteDomainTest.java
@@ -1290,6 +1290,8 @@ public void testDeleteWithMetaAttributes() {
                 "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser(), ctx.principal().getFullName());
         zmsImpl.postTopLevelDomain(ctx, auditRef, null, dom1);
 
+        ZMSTestUtils.setupSystemMetaAuthorization(zmsTestInitializer.getMockDomRsrcCtx(), zmsImpl,
+                ctx.principal().getFullName(), zmsTestInitializer.getAuditRef());
         DomainMeta meta = new DomainMeta();
 
         meta.setAccount("acct-1234");